During dynamic analysis of web applications for security issues, attacks on hypertext transport protocol (HTTP) requests are typically executed disconnected from the HTML object from which the requests were generated. The disconnected execution is done for performance reasons and to eliminate any validation performed by the code of the web page. For example, rather than entering a cross-site scripting payload in the text box of a search form and clicking the search button, a scanner tests the HTTP request directly and repeatedly, as in the statement: GET /search.jsp?query=<script>alert(1)</script>.
However, this approach can cause problems when an HTTP request taken out of context has a dependency on the HTML from which it originated.
A typical example occurs when links in the HTML are rewritten with a new session identifier, as in the following statement: <a href="/search;jsessionid=1234?profile=jsmith">Profile</a>. In this example, HTTP requests disconnected from the HTML are sent with an invalid jsessionid value and receive Out of Session messages.
Web application scanners typically address this situation in a simplistic manner: the scanner has a configuration setting declaring that jsessionid is a session identifier, and whenever it processes a response it searches the response for a jsessionid value and updates all pending requests with the newly identified value.
This solution, however, requires expert knowledge and many complicated heuristics to identify session identifiers that the scanner has not predefined. In another example, a web application uses a unique identifier to identify links. The identifier is referred to here as sessnav because it controls navigation for each session. Links are then defined as follows:
http://site.com/index?sessnav=1234
http://site.com/index?sessnav=9762
http://site.com/index?sessnav=3242
Each link has a different sessnav value, and the links change whenever a user logs into a new session. The current solution of updating the sessnav identifier from the (disconnected) HTML would update sessnav with the first encountered value, 1234, for all links, which is an incorrect setting for the remaining link references.
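To make the three situations above concrete, here is an added example (not part of the original text and not any particular scanner's code). It models a constructed toy application in which every login mints a fresh per-link sessnav token, then runs three scanner strategies against it: replaying recorded requests unchanged (the Out of Session case), rewriting every request with the first session value found in the new response (the simplistic configuration-setting approach), and, as an assumed fix, keeping each recorded request bound to the anchor it came from and re-reading that anchor's value from the fresh HTML. The class and function names, the anchor texts and the token values are all constructed for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit


class SessNavApp:
    """Constructed toy web application (not a real product).

    Every login invalidates the previous session's tokens and mints a new
    sessnav token for each link. A request is honoured only if its sessnav
    was issued by the current session, and the token decides the destination,
    so all links share the path /index and differ only in sessnav.
    """

    DESTINATIONS = ["home", "profile", "settings"]

    def __init__(self):
        self._counter = 0
        self._tokens = {}  # sessnav token -> destination page

    def login(self):
        """Start a new session and return the HTML with freshly tokenised links."""
        self._tokens.clear()
        anchors = []
        for dest in self.DESTINATIONS:
            self._counter += 1
            token = str(1000 + self._counter)  # constructed, sequential for reproducibility
            self._tokens[token] = dest
            anchors.append(f'<a href="/index?sessnav={token}">{dest}</a>')
        return "<html>" + "".join(anchors) + "</html>"

    def get(self, url):
        """Serve a request: the page for a live token, else an Out of Session message."""
        token = parse_qs(urlsplit(url).query).get("sessnav", [None])[0]
        return self._tokens.get(token, "Out of Session")


LINK_RE = re.compile(r'<a href="([^"]+)">([^<]+)</a>')


def extract_links(html):
    """Return (href, anchor text) pairs in document order."""
    return LINK_RE.findall(html)


def stale_replay_scan(app):
    """Requests recorded from one session and replayed after the session changed."""
    recorded = [href for href, _ in extract_links(app.login())]
    app.login()  # session changes; the recorded tokens are now invalid
    return [app.get(href) for href in recorded]


def naive_rewrite_scan(app):
    """The simplistic scanner setting: 'sessnav is a session identifier', so the
    first sessnav value in the new response is written into every queued request."""
    recorded = [href for href, _ in extract_links(app.login())]
    fresh_html = app.login()
    first_token = re.search(r"sessnav=(\d+)", fresh_html).group(1)
    replayed = [re.sub(r"sessnav=\d+", f"sessnav={first_token}", h) for h in recorded]
    return [app.get(href) for href in replayed]


def context_aware_scan(app):
    """Assumed fix: keep each recorded request tied to its originating anchor and,
    after re-login, take that anchor's current href from the fresh HTML."""
    recorded = {text: href for href, text in extract_links(app.login())}
    fresh = {text: href for href, text in extract_links(app.login())}
    replayed = [fresh.get(text, href) for text, href in recorded.items()]
    return [app.get(href) for href in replayed]


if __name__ == "__main__":
    print("stale:  ", stale_replay_scan(SessNavApp()))
    print("naive:  ", naive_rewrite_scan(SessNavApp()))
    print("context:", context_aware_scan(SessNavApp()))
```

Running the block shows the stale replay answered with Out of Session for every link, the naive rewrite reaching only the first link's destination three times, and the context-aware replay reaching all three destinations. The point is that a session value which is per-link, rather than per-session, cannot be fixed up by a single search-and-replace over the request queue; the request has to stay attached to the HTML element it came from.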